Encryption is one of the most commonly utilized methods of securing the contents of data. Encryption is often used to secure data in transport and storage. In its basic form, encryption typically involves the use of algorithms for transforming plaintext data into an unintelligible form referred to as ciphertext. The algorithms used in encryption can be defined by the parameters used therein known as keys. Two well known encryption methods are symmetric methods using only private keys, and asymmetric methods which use public and private keys.
Using symmetric private key encryption, a sender encrypts data using a private key. The receiver then decrypts the data using the same private key. One deficiency of symmetric private key encryption is that both the sender and receiver must know the same private key. Thus, exchanging the key between sender and receiver can result in security risks including the risk of compromise or forgery of the private key.
Public key encryption is an asymmetrical encryption method involving the use of key pairs. Each key pair includes a public key and a private key. The holder of the private key can encrypt data using the private key. Only holders of the public key corresponding to the private key can decrypt the data using the public key. In turn, holders of the public key can encrypt data using the public key. The encrypted data can then be safely forwarded to the holder of the private key, since only the holder of the private key can decrypt the data. Typically, each user's public key is published in a public key file or embedded in a certificate. The user's private key can thus be kept secret.
Public key encryption provides increased security over private key encryption, since a holder's private key need not be revealed to anyone. Public key encryption also allows a recipient of data to prove the origin of the data. For example, the sender encrypts the data using their own secret private key. To validate the data, the recipient decrypts the data using the sender's public key. If the message is successfully decrypted using the sender's public key, the message must have originated from the sender, since only the sender has access to their private key.
In addition, digital signatures can provide a further level of protection. A sender can “sign” the data by encrypting it using their own private key. The sender can then package the signed data by further encrypting it using the recipient's public key. At the receiving end, the recipient decrypts the package using their own private key and then validates the sender's signature by further decryption using the sender's public key.
Digital signatures may also be formed using other methods. For example, data can be digested (hashed) into a single block using a one-way hash function. A one-way hash function has a property that it is computationally infeasible to construct any data that hashes to that value or to find data patterns that hash to the same digest. The digest can than be encrypted with the sender's private key. The resulting encrypted digest can then be appended to the encrypted or unencrypted data (encrypted using recipient's public key) as a signature. Upon receipt, the recipient decrypts the digest using the sender's public key. The recipient also digests (hashes) the data which was received unencrypted. If the data was received encrypted, it is first decrypted using the recipient's private key and then digested (hashed) using the same one-way hash function used by the sender. By checking the decrypted digest against the recipient generated digest, the senders's signature can be verified. This type of digital signature provides verification of the integrity of the data. That is, any modification of the data being sent will result in a different digest at the recipient's end and thus a comparison with the sender generated digest will provide an indicator that the data has been comprised. This type of digital signature also provides authentication of the origin of the data. For example, only the holder of the private key corresponding to the public key used to validate the digest could have signed the data.
To allow one user to identify another user for transmission of data in a manner that ensures the user's possession of a private key, the first user must be able to obtain the other user's public key from a trusted source. A Certification Authority (CA) provides such a trusted source. A CA issues public key certificates. Each certificate typically contains the user's name and public key, the issuing CA's name, a serial number and a validity period. The framework for public key certificates is defined in CCITT, “X.509: The Directory: Authentication Framework,” April, 1993 (“X.509”), which is herein incorporated by reference. In effect, the public key certificates bind a user's name to the public key and are signed by a trusted issuer (e.g., the CA).
Typically the certificate is signed by an authority of the CA prior to distribution. Recipients of data from the user can trust the signature, provided that the recipient recognizes the authorities public key enabling verification of the CA authority's signature and to the extent the recipient trusts the CA.
One difficulty with the CA framework is that the certificates do not provide any indication of the degree of trust or the level of responsibility with which the sender of the message should be given. That is, the CA only certifies that the identified trusted authority (CA) recognized the sender's public key as belonging to that person.
Attribute certificates provide a further degree of protection. Attribute certificates certify a digital signature in a way which indicates the authority that has been granted to the party being certified. The attribute certificates include, in addition to information identifying the public key and the name of the party being certified, an authority level which is being granted and limitations and safeguards which are being imposed. This information may indicate issues of concern to the certificate. For example, the information may include a monetary limit for the certifee and/or the level of trust given to the certifee.
Typically, in a corporate or business environment, each employee is assigned their own digital certificate. Each employee can use their public key to sign any document they like. The receiver of the signed document is then required to verify that the signer's certificate has not been repudiated. This is typically accomplished by the recipient checking a certificate revocation list in the sender the company's directory. The recipient can also verify that the employee was authorized to sign the document by retrieving the employee's attribute certificates from the company's directory.
However, these traditional methods do have drawbacks. For example, the recipient whom often works for a different company than the signer, has the burden of checking the authorization level of the employee. This exposes potentially sensitive internal corporate information to anyone the organization sends a signed document. For example, to properly verify the senders authority, the recipient requires access to potentially sensitive corporate information regarding who has authority within the company to sign what.
Another limitation is that as employees leave a company, their certificates must be revoked. A certificate may be revoked by placing it on a certificate revocation list (CRL). The recipient of a document must then also check that the signer's certificate has not been revoked, adding an additional burden to the recipients duties and providing the recipient with additional potentially sensitive internal corporate information.